Greetings fellow students :)
I've recently downloaded Metasploitable & Kali on Oracle VirtualBox, and I'm now learning how to use Metasploit on servers (the server is Metasploitable). Now I'm a bit confused about which exploit I should use.
All the ports are open and running all kinds of software (Apache, Samba, etc.). Now I don't know how to find the right exploit/payload I should use for the running software. I have read a few parts of the Metasploit how-tos, but they don't really explain how to know which one to use. If anyone has a link on how to find the right ones, or a nice explanation, that would be great!
3 Responses
Metasploitable is a Linux distribution with numerous vulnerabilities. Of course, you can use the Samba vulnerability, but you should do your recon to learn what it is vulnerable to. You need to imagine that this is a real system and you need to FIND the vulnerabilities.
I get your point. Would you suggest that a starter hacker who has never exploited or used Metasploit on systems start right away with Metasploitable to hack the FTP, Apache and Samba services, which I have never had practical experience with? Or would it be smarter to start with an easier OS like Windows XP?
By the way, I'm a real beginner and never did such things as hacking, so I'm a bit confused when you say "Linux distribution with numerous vulnerabilities". Isn't it supposed to be about checking what service is running on what port and exploiting that service, instead of finding the OS build of the Linux server (in this case Metasploitable) and using a vulnerability for that?
Metasploitable is definitely the best vulnerable machine to get hands-on with Metasploit and experiment with different ways to get remote access to the system.
If you scan the Metasploitable machine with a vulnerability scanner, you will find that the machine has numerous open services and ports. Every service is running an older and unpatched version that you can exploit.
You can use a vulnerability scanner like OpenVAS or Nessus. There are many tutorials on the web to get ready.
You can also take a different and more manual approach by scanning Metasploitable with nmap, which will give you the versions of the running services. Then you search for CVEs associated with those services/versions.
You are confusing vulnerability and exploiting a little.
A vulnerability is something you can take advantage of.
Exploiting is using a vulnerability to penetrate the system.
Be ethical and have fun :)
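
The manual approach from the last reply (service versions first, then a CVE lookup per version), as an added example that is not part of the thread. The scan text is a constructed sample in the layout of `nmap -sV` output, and the function names are hypothetical; the resulting product/version list is the same inventory you would check against advisories when patching.

```python
import re

# Constructed sample in the layout of `nmap -sV` normal output (not a real scan).
SAMPLE_SCAN = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         ExampleFTPd 1.0.2
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open   http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
111/tcp  open   rpcbind
3306/tcp closed mysql
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_TOKEN = re.compile(r"^\d+(?:\.[\dA-Za-z]+)+$")  # 2.2.8, 4.7p1, 3.X


def parse_services(scan_text):
    """Return one dict per open port: port, proto, service, product, version."""
    services = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue  # header lines and closed/filtered ports carry no version
        port, proto, _state, service, banner = m.groups()
        tokens = re.sub(r"\(.*$", "", banner).split()  # drop "(protocol 2.0)" extras
        idx = next((i for i, t in enumerate(tokens) if VERSION_TOKEN.match(t)), None)
        services.append({
            "port": int(port), "proto": proto, "service": service,
            "product": " ".join(tokens[:idx] if idx is not None else tokens) or None,
            "version": tokens[idx] if idx is not None else None,
        })
    return services


def cve_search_terms(services):
    """Split findings into exact product/version terms and ports needing a manual check."""
    exact, unclear = [], []
    for s in services:
        # nmap prints ranges such as "3.X" when the banner does not pin the version
        if s["product"] and s["version"] and "X" not in s["version"]:
            exact.append(f'{s["product"]} {s["version"]}')
        else:
            unclear.append(f'{s["port"]}/{s["proto"]} {s["service"]}')
    return exact, unclear


if __name__ == "__main__":
    exact, unclear = cve_search_terms(parse_services(SAMPLE_SCAN))
    print("Look up in a CVE database:", exact)
    print("Version not pinned, confirm by hand:", unclear)
```

Services that land in the second list have no exact version to look up, so a CVE search on them would be a guess until the version is confirmed another way.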